The disclosure generally relates to data processing systems and, more specifically, to techniques for attesting data processing systems.
Trusted boot is a process for booting a computing system while establishing a chain of trust. With reference to data processing environment 100 of FIG. 1, for example, a system administrator takes delivery of a server (e.g., managed system 120) and proceeds to install system software. Managed system 120 includes a secure device 125, e.g., a Trusted Platform Module (TPM). Once managed system 120 is configured and booted, each component (hardware and/or software) of managed system 120 cryptographically measures the next component in the chain and can “extend” (but not directly write to) a measurement value held in a platform configuration register (PCR) of TPM 125; because a PCR can only be extended, its final value commits to the whole ordered sequence of measurements.
Each component also writes data associated with its measurement (e.g., which component was measured and the resulting digest) into an entry of an event log. The measurements can be remotely attested by a managing system 105, which has a database 115 storing expected attestation values for the components of each managed system. The values are typically stored along with metadata describing what they mean. Managing system 105 includes a TPM emulator 110 that, for example, compares the reported measurements with the expected values (e.g., by replaying the event log to recompute the PCR values). If the measurements do not match the expected values, managing system 105 typically has to further compare the measurements against a (large) list, e.g., a reference manifest, of measurement values provided by the manufacturers of the components. A reference manifest typically includes a large number of measurement values associated with each component of managed system 120, and these measurement values can be taken to be ‘trusted’.
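The measure-and-extend step on managed system 120 and the verification on managing system 105 (replay of the event log, comparison against the stored expected values, and the fallback to the manufacturer reference manifest) can be illustrated with a small model. The following is an added example written for this page, not code from the disclosure or from any TCG implementation; it assumes a single SHA-256 PCR bank, PCRs that reset to all zeros, a log entry format of (PCR index, component name, digest), and constructed component bytes and manifest digests, and it omits the signed TPM quote that a real attestation would verify first.

```python
"""Model of trusted boot (measure + PCR extend + event log) and of remote
attestation with a reference-manifest fallback. Added illustration only."""
import hashlib
from typing import Dict, List, Tuple

# Assumption: one SHA-256 PCR bank; every PCR starts as 32 zero bytes at reset.
PCR_RESET = bytes(32)

Component = Tuple[str, int, bytes]          # (name, pcr_index, component_bytes)
LogEntry = Tuple[int, str, bytes]           # (pcr_index, name, digest)


def measure(data: bytes) -> bytes:
    """A component's measurement is the hash of its bytes."""
    return hashlib.sha256(data).digest()


def pcr_extend(old: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || digest). The register is never
    overwritten, so the final value depends on every digest and their order."""
    return hashlib.sha256(old + digest).digest()


def trusted_boot(components: List[Component]):
    """Managed-system side: measure each component into its PCR and record
    the measurement in the event log. Returns (pcr_values, event_log)."""
    pcrs: Dict[int, bytes] = {}
    event_log: List[LogEntry] = []
    for name, idx, data in components:
        digest = measure(data)
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_RESET), digest)
        event_log.append((idx, name, digest))
    return pcrs, event_log


def replay_event_log(event_log: List[LogEntry]) -> Dict[int, bytes]:
    """Managing-system side (the TPM emulator): recompute the PCRs that the
    logged sequence of extends must have produced."""
    pcrs: Dict[int, bytes] = {}
    for idx, _name, digest in event_log:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_RESET), digest)
    return pcrs


def attest(quoted_pcrs, event_log, expected_pcrs, reference_manifest):
    """Returns (verdict, unknown_components).
    1. Replaying the log must reproduce the quoted PCRs; otherwise the log
       was altered and cannot be used to explain the PCR values.
    2. Quoted PCRs equal to the stored expected values: fast-path success.
    3. Otherwise every logged digest is looked up in the manufacturer
       reference manifest; components with no trusted digest are reported."""
    if replay_event_log(event_log) != quoted_pcrs:
        return "log-mismatch", []
    if quoted_pcrs == expected_pcrs:
        return "expected", []
    unknown = [name for _idx, name, digest in event_log
               if digest not in reference_manifest.get(name, set())]
    return ("manifest", []) if not unknown else ("untrusted", unknown)


# Constructed sample: a golden boot whose PCRs populate the expected-value DB.
GOLDEN: List[Component] = [("bios", 0, b"bios-1.0"),
                           ("bootloader", 4, b"grub-2.06"),
                           ("kernel", 4, b"linux-6.1")]
EXPECTED_PCRS, _ = trusted_boot(GOLDEN)

# Constructed reference manifest: trusted digests per component, as a vendor
# might publish them, including a newer kernel not yet in the expected DB.
REFERENCE_MANIFEST = {
    "bios": {measure(b"bios-1.0")},
    "bootloader": {measure(b"grub-2.06")},
    "kernel": {measure(b"linux-6.1"), measure(b"linux-6.2")},
}


def attest_boot(components: List[Component]):
    """Boot the given components and attest them against the sample DB."""
    pcrs, log = trusted_boot(components)
    return attest(pcrs, log, EXPECTED_PCRS, REFERENCE_MANIFEST)


if __name__ == "__main__":
    updated = GOLDEN[:2] + [("kernel", 4, b"linux-6.2")]
    rogue = GOLDEN[:2] + [("kernel", 4, b"rootkit")]
    for label, comps in (("golden", GOLDEN), ("updated", updated), ("rogue", rogue)):
        print(label, attest_boot(comps))
```

The three verdicts correspond to the three outcomes described above: the stored expected values match, they do not match but the reference manifest vouches for every component, or some component is known to neither source. The `log-mismatch` case is the check a verifier must run before trusting the log at all: an attacker who controls the OS can rewrite the event log but cannot make the TPM un-extend a PCR.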
The remote attestation process may be initiated by either the managing system or the managed system. Changes to managed system 120 can be detected by subsequent trusted boot and remote attestation processes. The above processes are described, for example, in section 4 of the Trusted Computing Group (TCG) Specification Architecture Overview, Specification Revision 1.4, 2nd Aug. 2007, and in section 2 of the TCG Infrastructure Working Group Architecture Part II—Integrity Management, Specification Version 1.0, Revision 1.0, 17th Nov. 2006.
As described above, attestation is currently concerned with verifying a single machine, be it a physical machine with a real TPM or a virtual machine (VM) with a virtual TPM. Verifying individual machines is a reasonable approach for owners of individual machines. However, end-users or corporations may deal in a granularity much larger than a single machine. For example, a large corporation may wish to attest each of its VMs on a particular physical machine, each of its VMs within a particular machine pool, or each of its physical machines at a particular site. Similarly, datacenter owners may care about the integrity of their entire datacenter (and possibly sub-clusters within the entire datacenter). Instead of single machines, an entity may be concerned with tens, hundreds or even thousands of machines.